Psst. Do You Know The Most Common Workplace Accidents and Injuries?

Did you know that maintaining a safe workplace can lower the cost of workers’ compensation insurance? It’s true. Employers with fewer workplace injury claims may enjoy valuable premium credits. Alternatively, employers with more injury claims may suffer higher insurance premiums. The resulting premium difference can be significant, particularly for employers, like those in Florida, who may be facing substantial premium increases.

Employers wanting to take advantage of the correlation between workplace injuries and insurance premiums need to implement safety programs that effectively reduce, if not eliminate, workplace injuries. The first step to developing an effective safety program is to identify the most common workplace accidents and the most common employee injuries.

Travelers recently analyzed more than 1.5 million workers’ compensation claims submitted from 2010 though 2014 to learn more about the most common and costliest workplace accidents and injuries. According to Travelers Injury Impact Report, the top five causes of workplace accidents were:

  • Material handling (32%)
  • Slips, trips and falls (16%)
  • Being struck by or colliding with an object (10%)
  • Tools (7%)
  • Cumulative trauma injury caused by overuse or strain over time (4%)

 

Material handling was actually the most common cause of accidents for all businesses and across all industries analyzed in the report. The most frequent material handling injuries were strains/sprains, cuts/punctures, contusions, inflammation and fractures. These injuries typically occur when employees are lifting, lowering, filling, emptying or carrying items.

The top five workers’ compensation injuries were:

  • Strains and sprains (30%)
  • Cuts or punctures (19%)
  • Contusions (12%)
  • Inflammation (5%)
  • Fractures (5%)

Except for small businesses, strains and sprains topped all lists for the most common type of injury. For small businesses, cuts or punctures were the most common injury—strains and sprains were second.

The average number of days away from work for the top 5 workplace injuries was:

  • Strains and sprains (57 days)
  • Cuts or punctures (24 days)
  • Contusions (27 days)
  • Inflammation (91 days)
  • Fractures (78 days)

It’s interesting, and perhaps fortunate, that the costliest injuries did not turn out to be the most common injuries. According to the report, the injuries with the highest average cost per claim were:

  • Amputation ($102,500)
  • Dislocation ($97,100)
  • Electric shock ($55,200)
  • Crushing ($54,600)
  • Multiple trauma ($42,400)

 

The average cost per claim involving the five most common injuries was:

  • Strains and sprains ($17,000)
  • Cuts or punctures ($8,200)
  • Contusions ($8,000)
  • Inflammation ($24,500)
  • Fractures ($42,400)

Employers have the ability to affect their workers’ compensation insurance premiums , for better or worse. Knowing how and why workplace injuries occur puts employers in a better position to develop and implement their own safety and training programs. When done effectively, employers may have fewer workplace injuries and may end up paying less for workers’ compensation insurance.

Please contact us if you would like more information about controlling workers’ compensation insurance costs.

Additional information is also available in our weekly Risk Management Newsletters.

What to do After an Accident?

In many of the approximately six million car accidents each year, taking immediate action after a crash can minimize damage to people and property. Since even minor accidents can leave you dazed and confused, we created this infographic to help you remember the steps you should take immediately after an accident… just in case.

If you would like a more detailed description of what to do, you can review our previous blog: Steps to Take after a Car Accident.

Some other helpful tools for you to use include this Accident Report (as mentioned in infographic) as well this Witness Report. You can print these documents and keep in your glove box to use for record keeping. While we hope you never need them, it may come in handy for you or a loved one.

Contact us if you have questions about what your insurance company may or may not provide after an accident. An expert at Setnor Byer Insurance & Risk can help you navigate the chaos and confusion that always seems to follow an accident. However, the best thing to do is speak with one of our experts before an accident occurs. We’ll make sure your policies are updated and find you the the best (and most affordable!) auto coverage.

For more tips and information, subscribe to Setnor Byer Insurance & Risk’s weekly risk management news brief.

Beware of Business Email Compromise (Whaling) Cyber Attacks in 2016

Business Email Compromise (BEC) attacks are sophisticated scams that compromise legitimate business e-mail accounts to conduct unauthorized fund transfers. These attacks are also called ‘whaling’ because they are similar to phishing, but on a larger scale. BEC attacks have grown in popularity in recent years, and are expected to pose a significant risk to businesses in 2016.

The FBI reported a 270% increase in BEC victims since January 2015, and nearly $750 million of actual and attempted U.S. losses since August 2015. Research conducted by Mimecast, an email security provider, found that 55% of organizations have seen an increase in BEC attacks over the last three months.

Using complaint data, the FBI identified four general versions of BEC attacks.

  • The Supplier Swindle. A business is asked by a current supplier to wire an invoice payment to a fraudulent account. Hackers use spoofed e-mails that appear very similar to a legitimate account.
  • CEO Fraud. Spoofed or hacked e-mail accounts of high-level business executives are used to request a wire transfer from an employee within the company who is normally responsible for processing these requests.
  • Fraudulent Invoices. An employee’s personal e-mail account is hacked and used to request invoice payments from multiple vendors identified in the employee’s contact list.
  • Attorney Scam. An employee is asked to quickly transfer funds by someone posing as an attorney who is handling a confidential or time-sensitive matter for the business.

BEC attacks are not random. Victims are specifically targeted by hackers using information that is made readily available on company websites and social media sites like Facebook, LinkedIn and Twitter. For example, LinkedIn can be used to map entire departments and reporting structures. Websites may also provide valuable information, such as email addresses, titles, responsibilities and even biographical information.

According to Mimecast, a BEC attack can be broken down into five phases.

  • Research: Criminals identify a target organization and its employees. Open source intelligence, social media and corporate websites are then used to build an accurate picture of the organization and identify key executives and finance team members.
  • Similar Domain Names: Criminals may then register a domain name that sounds or appears similar to that of the target company. For example, the domain ajaxcornpany.com could be used to spoof ajaxcompany.com. Were you able to spot the difference between the two?
  • Whale Emails: Criminals make initial contact by posing as a high-level executive and sending an innocuous email to a member of the finance team. These emails are typically innocuous, brief and to the point, such as “I need you to complete a task ASAP, are you in the office?”
  • Victim Tricked: Due to the research done before the attack, victims are likely to believe the email is genuine and respond accordingly. Criminals may then engage in email ‘small talk’ prior to requesting a wire transfer.
  • Wire Transfer: Victims, typically those with authority to initiate or approve financial transactions, are asked to transfer funds. Having no reason to doubt the authenticity of the request, the funds are transferred.

BEC attacks can be very difficult to identify. Since criminals don’t rely on emails with attachments or links, current barriers are often inadequate. Nevertheless, steps can be taken to protect against BEC attacks. For example, in addition to increased awareness, the FBI identified various preventative measures, such as:

 

  • Create detection system to flag e-mails with extensions that are similar to company e-mail.
  • Register all domains that are similar to the company’s actual domain.
  • Verify changes in vendor payment with two-factor authentication, like requiring secondary approval.
  • Confirm requests to transfer funds. If verifying over the phone, use previously known numbers, not the numbers provided in the e-mail request.
  • Know your customers.
  • Carefully scrutinize all e-mail requests to transfer funds.

 

Businesses should also consider cyber insurance coverage to protect against cyber attacks that could not be prevented. Unlike traditional commercial insurance, Cyber Liability and Security Breach (Cyber Perils) Insurance policies protect against privacy injuries, such as identity theft, and cover the cost of complying with data breach notice laws.

We would be happy to provide you with more information about insurance for existing and emerging cyber threats.

Additional information is also available in our weekly Risk Management Newsletters.

Perhaps these predictions explain the growing number of businesses purchasing new cyber insurance policies or increasing coverage under existing cyber policies.

Condominium Associations Cannot Afford to Mishandle Service Animals

Condominium associations are often approached by unit owners or tenants requesting an accommodation to have a service animal, even though the animal itself, either because of its species or size, violates an association’s pet policy. Though it’s not always easy to tell the difference between a service animal and a pet, condominium associations cannot afford to make this kind of mistake. Since the law does not treat service animals like pets, neither can condominium associations.

The rights of an individual with disability to use a service animal is protected by federal and Florida law. For example, Florida’s Fair Housing Act prohibits discrimination in the sale, rental or availability of a dwelling, including any associated services or facilities, because of a person’s disability. Discrimination includes the refusal to make reasonable accommodations to rules, policies, practices or services that may be necessary to give a disabled person equal opportunity to use and enjoy a dwelling. Cases involving service animals typical allege a failure to provide a reasonable accommodation.

However, Florida has another law that specifically protects the use of service animals in housing accommodations. Florida’s service animal law, which was amended on July 1, 2015, states that an individual with a disability who has or obtains a service animal is entitled to full and equal access to all housing accommodations. Though this law prohibits charging extra compensation for a service animal, owners are liable for any damage caused by their service animal.

Florida’s service animal law protects individuals with physical or mental impairments that substantially limit a major life activity. Recognized mental or psychological disorders, including posttraumatic stress disorder (PTSD) and emotional or mental illnesses, are generally considered mental impairments under the law.

The law defines a service animal as an animal trained to do work or perform tasks for an individual with a disability. The work done or tasks performed must be directly related to an individual’s disability, and may include:

  • Guiding a person who is blind or visually impaired;
  • Alerting a person who is deaf or hard of hearing;
  • Assisting with mobility or balance;
  • Alerting and protecting a person who is having a seizure;
  • Helping a person with a psychiatric or neurological disability by preventing or interrupting impulsive or destructive behaviors;
  • Reminding a person with mental illness to take prescribed medications; and
  • Calming a person with PTSD during an anxiety attack.

Florida’s service animal law makes it a second degree misdemeanor for a housing accommodation to discriminate against an individual with a disability. However, as of July 1, 2015, a person using a service animal who knowingly and willfully misrepresents herself or himself as being qualified to use a service animal is also committing a second degree misdemeanor. If found guilty, this person must perform 30 hours of community service for an organization that serves individuals with disabilities or another organization determined by the court.

The consequences of mishandling a request for a service animal can be severe. Board members must recognize that service animal requests must be treated differently than other requests, and proceed cautiously to avoid unlawful conduct on the part of the association, seeking guidance or counsel, if necessary.

Setnor Byer Insurance & Risk is available to discuss ways to identify, manage and insure the risks facing condominium associations and their board members.

Additionally, clients of Setnor Byer’s Condominium Program enjoy access to various risk management services, such as Setnor Byer’s Risk Management Group and Unit Owners’ Report Line, as well as our affiliate’s Condominium Board Member Education Certification, which has been approved by the Division of Florida Condominiums, Timeshares, and Mobile Homes.

You can also receive additional information by subscribing to our weekly Risk Management Newsletters.

Why Are Risk Managers Increasingly Relying on Cyber Liability Insurance?

We hoped Anthem’s January data breach would be the last large-scale event of 2015. Our hopes were dashed by the Office of Personnel Management’s massive breach that exposed personal information of more than 20 million current, former and prospective federal employees and contractors. This is yet another reminder that every organization is at risk of suffering a data security breach.

Organizations should also know that the costs of a data security breach can be devastating. Consider the following results from NetDiligence’s 2014 analysis of 111 data breach insurance claims:

  • Most frequently exposed data: personally identifiable information (41%), private health information (21%) and payment card information (19%)
  • Most frequent cause: hackers (30%) and staff mistakes (14%)
  • Typical claims range: $30,000 to $400,000
  • Average claim payout: $733,109
  • Average per-record cost: $956.21
  • Average cost for crisis services: $366,484
  • Average cost for legal defense: $698,797
  • Average cost for legal settlement: $558,520

These staggering figures may explain the results of a 2015 survey of risk managers conducted by the Risk Management Society (RIMS). According to the survey, the top three first-party exposures are reputational harm (79%), business interruption (78%) and data breach response and notification (73%). Fifty-one percent of respondents purchased cyber insurance policies, while 74% are considering obtaining cyber coverage in the next 12 to 24 months.

The RIMS survey found that risk managers are buying the following coverages:

  • Breach notification costs (91%)
  • Cyber extortion (80%)
  • Network/business interruption (80%)
  • Data recovery (75%)
  • Fines and penalties (75%)
  • Reputational harm (44%)
  • Professional liability (43%)
  • Theft of trade secrets (29%)

The RIMS survey shows that risk managers are taking data security very seriously. Interestingly, the growing prevalence of cyber insurance suggests that preventative measures may not be enough. Even the most sophisticated security measures don’t always prevent data breaches.

The right Cyber Perils coverage can help organizations survive the continuing data breach epidemic. The key is finding a policy that meets organizational needs without unnecessary coverages. The complexity of cyber insurance makes it difficult to evaluate and compare various options, so an experienced insurance agent should be consulted to find coverage that is both adequate and affordable.

If you would like to learn more about insuring against cyber risks, contact us.

If you would like to subscribe to our newsletters please click here.

Homeowners’ Insurance Claims: By the Numbers

Homeowners insurance is designed to protect against losses to your home and its contents, as well as liability for accidents that may occur on the property. Since the United States homeownership rate is nearly 65%, homeowners’ insurance is an important topic for many of us. To get a better understanding about the nature of homeowners’ losses and insurance claims, let’s take a look at some research compiled by the Insurance Information Institute.

  • Approximately 1 in 15 insured homes have a claim each year.
  • Wind and hail claims, which are experienced by approximately 1 in 30 insured homes each year, are the most frequent.
  • Claims related to fire, lightning or debris removal, which are experienced by approximately 1 in 230 insured homes every year, are the costliest.
  • Approximately 1 in 55 insured homes have a damage claim caused by water or freezing each year.
  • Approximately 1 in 190 insured homes have a theft claim each year.
  • Approximately 1 in 830 homeowners have a liability claim related to the cost of lawsuits for the bodily injury or property damage of others.

Loss Claims

Loss claims can be calculated in terms of frequency and severity. Claims frequency is the average number of claims filed per 100 policies. According to the Insurance Services Office (ISO), the most frequent homeowners’ loss claims are:

  • Wind and hail (3.37)
  • Water damage and freezing (1.79)
  • All other property damage (1.04)
  • Theft (.52)
  • Fire, lightning and debris removal (.43)
  • Bodily injury and property damage (.12)

Claims severity is the average amount paid for each claim. According to ISO, the most severe homeowners’ loss claims are:

  • Fire, lightning and debris removal ($34,306)
  • Bodily injury and property damage ($18,804)
  • Wind and hail ($7,307)
  • Water damage and freezing ($7,195)
  • All other property damage ($4,684)
  • Theft ($3,428)

Content Claims

The Content Claims Index shows the top contents categories of homeowners’ claims filed with approximately 300 insurers. The top categories, ranked by dollar value as a percent of total claims, include:

  • Jewelry (16%)
  • Electronics (13%)
  • Apparel (13%)
  • Furniture (10%)
  • Tools (5%)
  • Appliances (4%)
  • Sporting goods (3%)

Injury Claims

According to the National Safety Council (NSC), injuries requiring medical attention occur more often at home than in public places, in the workplace and motor vehicle incidents combined. In 2012, one in 16 people experienced an unintentional injury in the home that required medical attention. The NSC identified the following causes of the 63,000 deaths from unintentional home injuries in 2012:

  • Poisoning (50.5%)
  • Falls (28.1%)
  • Other (12.1%)
  • Fire, flames or smoke (4.1%)
  • Choking (3.7%)
  • Drowning (1.6%)

In addition to showing how claims happen, these statistics show that claims are likely to happen. Adequate homeowners’ or renters’ insurance is the key to recovering after a claim. An experienced and reputable independent insurance agent can help you identify those risks associated with your home and obtain the right insurance coverage to protect it.

If you have any questions or would like to see how Setnor Byer Insurance & Risk can help protect your home, please contact us.

Are You Protecting Customers’ Credit and Debit Card Data?

It’s hard to ignore the fact that data security breaches seem to be increasing in frequency and severity, particularly those involving credit and debit card data. Just ask Home Depot, Michaels Stores, Neiman Marcus, or their 50+ million customers whose payment card data may have been compromised in 2014. To reduce the chances of making the list in 2015, preventative measures must be taken by every business that accepts credit and debit card payments.

The PCI Security Standards Council developed the Payment Card Industry Data Security Standard (PCI DSS) to encourage and enhance cardholder data security. This standard includes 12 requirements.

Build and Maintain a Secure Network and Systems

  • Install and maintain a firewall to protect cardholder data.
  • Do not use defaults for system passwords or security parameters.

Protect Cardholder Data

  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data.

Maintain a Vulnerability Management Program

  • Protect systems against malware and regularly update anti-virus software.
  • Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

  • Restrict access to cardholder data to those who need to know.
  • Identify and authenticate system access.
  • Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

  • Track and monitor all access to networks and cardholder data.
  • Regularly test security systems and processes.

Maintain an Information Security Policy

  • Maintain a policy that addresses information security for all personnel.

The PCI Security Standards Council also provides a number of tips and strategies to increase the security of payment card data, such as:

  • Never store Sensitive Authentication Data, such as the full track contents on the magnetic stripe or chip, card verification codes/values, or PINs.
  • Ask point-of-sale vendors about the security of payment card systems.
  • Do not store cardholder data that is not needed.
  • Consolidate and isolate cardholder data that is needed.

The Council notes that the PCI DSS provides minimum security requirements that may be enhanced by additional controls and practices. Various laws, rules or regulations may also require enhanced security measurers. For example, under the Fair and Accurate Credit Transaction Act (FACTA), electronically printed credit and debit card receipts given to customers cannot include a card’s expiration date or more than the last five digits of the card number.

Sometimes security measures aren’t enough to prevent a data security breach, so businesses should use insurance to manage their cyber risks. There are a number of cyber liability products that protect against privacy injuries, such as identity theft, and that cover the cost of complying with various data breach notice laws. However, given the complexity of the risk, an experienced insurance agent should be consulted to ensure that adequate coverage is obtained.

A solid understanding of your insurance needs is the key to overcoming the quality versus cost argument. An experienced and reputable independent insurance agent can help you purchase insurance that is both economical and effective.

If you would like to learn more about insuring against cyber risks, contact us.

If you would like to subscribe to our newsletters please click here.

Office Holiday Parties: Revel without Regret

Many employers consider a company-wide holiday celebration an excellent opportunity for employees to mingle socially and get to know one another better. It’s also a chance for senior management to interact with employees they rarely see throughout the year. Though holiday parties can create a positive work environment, increase employee morale and promote teamwork, they can also expose employers to a number of potentially significant risks.

Perhaps the most significant risks involve alcohol. What happens if an employee becomes intoxicated and causes damage to something or someone? Though liability is determined on a case-by-case basis, employers may face a greater chance of being held responsible if:

  • Attendance is, or is perceived to be, mandatory (e.g., everybody knows that being seen by the Vice President will enhance one’s chances of a promotion);
  • The employer pays for or provides the alcohol; or
  • The employer conducts business during the holiday party.

Employers can take steps to reduce their potential liability, such as:

  • Collect car keys from all who drink. Toward the close of the party, assign designated drivers or call taxis for anyone who is too impaired to drive. If the party is in a hotel, reserve a block of rooms for the inebriated to spend the night.
  • Appoint someone in a position of authority to monitor alcohol consumption; including making certain that no alcohol is served to minors.
  • Serve a limited amount of alcohol, controlled through “drink coupons.” (i.e., two drinks per person). Close the bar once dinner begins.
  • Send a memo to all employees prior to the party stating clearly that a) employees who arrive inebriated will not be allowed in; b) employees cannot bring their own alcohol; c) excessive drinking will not be tolerated; and d) intoxication and inappropriate behavior at the party will be grounds for discipline.
  • Do not permit supervisors or managers to buy alcoholic beverages for employees.
  • Hold the party at an off-site location and use professional bartenders to serve and monitor alcohol consumption.

There are other risks employers should consider when planning and holding the annual office holiday party, such as:

Discrimination and Harassment: Lines are often blurred during an office party, so they are often crossed. Conduct that is inappropriate at work may be considered appropriate at a party, such as engaging in intimate conversations or acts, giving a racy gift or telling an off-color joke. Employers may be held liable for unlawful harassment or discrimination that takes place during a holiday party, even if it’s off-premises and off-the-clock. Consider redistribution of the sexual harassment policy, and remind employees that a holiday party is no excuse for inappropriate behavior, which will not be tolerated.

Premises Liability: Employees are often allowed to bring spouses and significant others to the office holiday party. Every ‘plus one’ accompanied by an employee is a potential slip-and-fall victim. Employers must make sure the workplace is safe before the party and keep it safe during the party.

Workers’ Compensation: Employees are typically covered by workers’ compensation if they are injured in the course and scope of their employment. Though getting hurt at a holiday party wouldn’t seem to be work-related, an employee may be covered by workers’ compensation if attendance at the party is explicitly or implicitly required (or ‘encouraged’). Tell employees the holiday party is purely a voluntary social event, and mean it.

Employers should review their insurance policies before the party to make sure they are covered in the event something happens during the holiday party. General liability, employment practices liability and workers’ compensation insurance may cover some of the risks created by the office holiday party. However, other risks may require additional insurance coverage, such as a policy that covers one-time events, including alcohol-related liability, which may be available for a small additional premium.

If you would like more information about how Setnor Byer Insurance & Risk can help protect your business during the holidays and year round, please contact us.

Protecting Against Emerging Data Security Threats

Cyber threats continue to top the list of concerns for individuals and businesses alike. With breaches becoming more common and more expensive, businesses are now discovering that steps must be taken to protect against data security breaches. Since understanding the risk is the first step to controlling it, let’s take a look at some observations made by Georgia Institute of Technology’s Information Security Center and Research Institute in their 2015 Emerging Cyber Threats Report.

Users are the greatest weakness to information security.

  • Though software vulnerabilities continue to be exploited, users remain the link most often exploited in attacks as cybercriminals continue to successfully abuse their trust.
  • Users often allow attackers to circumvent security measures.
  • Social engineering, which is also known as hacking humans, is a common and extremely effective way to attack systems. Sixty-seven percent of cyber attacks start with a phishing electronic communication sent by an attacker posing as a trustworthy person or business.
  • Training is an important piece of the security puzzle and one that businesses do not employ often enough. Forty-nine percent of businesses that do not perform employee security-awareness training pay the price — their annual losses are four times greater than those with a training process in place.

Attackers are increasingly targeting mobile devices.

  • As consumers and employees increasingly rely on mobile devices, their phones and linked cloud repositories have become treasure troves of information.
  • Increasing mobile app popularity and the proliferation of free apps relying on advertising for revenue have driven many developers to use vulnerable code that can be exploited. According to the report, in 2014, 91% of the top 200 iOS apps and 83% of the top 200 Android apps had some risky behavior.
  • Attackers follow the money, so the increasing use of mobile devices to make payments will draw their attention.
  • Android devices continue to bear the brunt of attackers’ focus. Since Android devices are targeted by malware 99% of time, users of these devices require better security measures and increased education about the risks.
  • Apple’s iOS ecosystem is not a safe haven. Researchers at Georgia Tech note that attackers have found ways around security measures, and that additional attacks should be expected.

Rogue workers can cause significant damage to a business.

  • The involvement of an insider causes the costs of data breaches to rise quickly.
  • Companies generally require more time to detect and respond to insider attacks, nearly 260 days, compared to 170 days for other attacks.
  • Incidents involving malicious insiders cost an average of $210,000 more to resolve.
  • Businesses should focus on protecting their “crown jewels” before expanding data-protection programs to cover broader kinds of information.
  • Businesses face a significant challenge looking for behavioral indicators that could detect the activities of a rogue insider.
  • Outreach to employees and access restrictions, such as splitting access rights to valuable data between two or more people, can make it much less likely for a single rogue insider to cause damage.

According to the report, the growing ‘Internet of Things’, which is the interconnection of uniquely identifiable devices (phones, tablets, etc.) to the Internet, will only make security issues more important in the future. By 2020, there could be 50 billion interconnected devices, so securing these devices and the data passed between them will be an ongoing challenge.

Since the risk of suffering a data security breach is likely to continue in the foreseeable future, businesses should consider insurance to protect against cyber risks. There are a number of cyber liability products that protect against privacy injuries, such as identity theft, and that cover the cost of complying with various data breach notice laws. However, given the complexity of the risk, an experienced insurance agent should be consulted to ensure that adequate coverage is obtained.

If you would like to learn more about insuring against cyber risks, contact us.

If you’d like to subscribe to our weekly newsletters please click here.

Here We Go Again with Another Massive Data Security Breach

Before the dust could settle on Target’s data security breach, news of a potentially larger one has surfaced. On September 18, 2014, Home Depot confirmed that it suffered a data breach involving the debit and credit card information of approximately 56 million customers. Target’s breach involved approximately 40 million cards.

Home Depot’s breach involved payment card information for purchases made at U.S. and Canadian Home Depot stores from April to September, 2014. According to Home Depot, criminals used unique, custom-built malware not seen previously in other attacks to breach payment card systems. Though their investigation is ongoing, Home Depot said names, card numbers, expiration dates, cardholder verification values and service codes may have been compromised.

Seeing yet another large business with substantial resources suffer a massive data security breach should be more than enough to confirm that data security breaches can happen to any organization. Though preventing data breaches is becoming more difficult, businesses can take steps to reduce the risk.

A subsidiary of Reinsurer Munich Re recently held a presentation with cybersecurity experts and risk managers to show how cybercriminals choose their targets and access their systems. This presentation provided several key takeaways for businesses.

  • Businesses are not only viewed as targets by cybercriminals, but also as conduits to attack a business’s clients.
  • Businesses must identify any data that may be valuable to others, and keep only what is needed.
  • Most hackers use email and browsers to access a business’s systems.

The cybersecurity presentation identified 10 ways for businesses to prevent a data breach.

  • Outsource payment processing (point-of-sale, web payments) to take advantage of their sophisticated and dedicated security measures.
  • Separate social media from financial activity by using a dedicated device for online banking and a different device for email and social media.
  • Don’t reuse passwords and don’t trust websites to store them for you. Set up a two-factor authentication process that verifies identity by sending a secret code to your phone.
  • Train employees to protect sensitive and confidential information. Remind employees that most malicious attacks involve email, and that they should alert others when suspicious emails are received.
  • Identify risks by evaluating systems and networks, including email infrastructure and browser vulnerability. Learn how business associates (vendors, suppliers, partners) handle data security.
  • Mandate encryption for all data that is stored (at rest) and transmitted (in motion), and avoid the use of Wi-Fi networks if possible.
  • Use the latest web browser version that is available rather than relying on individual patches and updates.
  • Update operating systems to take advantage of built-in security improvements.
  • Secure routers connecting business computers to the Internet. Set strong administrator passwords and, if Wi-Fi is necessary, use a WPA2 password.
  • Encrypt backup data and store it off-site.

Home Depot is currently dealing with the consequences of its data security breach by investigating the breach, updating data security systems, notifying potential victims, providing free identity theft protection and adjusting its public relations to minimize the damage to its reputation. The costs of these efforts can be staggering. For businesses lacking the resources of the Target’s and Home Depot’s, these costs can be devastating.

As we have seen, nothing is foolproof, so businesses should use insurance to protect against cyber risks. There are a number of cyber liability products that protect against privacy injuries, such as identity theft, and that cover the cost of complying with various data breach notice laws. However, given the complexity of the risk, an experienced insurance agent should be consulted to ensure that adequate coverage is obtained.

If you would like to learn more about insuring against cyber risks, contact us.

If you would like to subscribe to our newsletters please click here.